From 12021f888725014173de7f164f84e96df6b50680 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 19 Feb 2025 13:52:33 +0000 Subject: [PATCH 1/8] hosts page --- .../serverless/security-hosts-overview.md | 141 ------------------ raw-migrated-files/toc.yml | 1 - solutions/security/explore/hosts-page.md | 33 +--- 3 files changed, 2 insertions(+), 173 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-hosts-overview.md diff --git a/raw-migrated-files/docs-content/serverless/security-hosts-overview.md b/raw-migrated-files/docs-content/serverless/security-hosts-overview.md deleted file mode 100644 index ea81296f12..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-hosts-overview.md +++ /dev/null 
@@ -1,141 +0,0 @@ -# Hosts page [security-hosts-overview] - -The Hosts page provides a comprehensive overview of all hosts and host-related security events. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data, drill down for deeper insights, and interact with Timeline for further investigation. - -:::{image} ../../../images/serverless--management-hosts-hosts-ov-pg.png -:alt: Hosts page -:class: screenshot -::: - -The Hosts page has the following sections: - - -## Host KPI (key performance indicator) charts [host-KPI-charts] - -KPI charts show metrics for hosts and unique IPs within the time range specified in the date picker. This data is visualized using linear or bar graphs. - -::::{tip} -Hover inside a KPI chart to display the actions menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")), where you can perform these actions: inspect, open in Lens, and add to a new or existing case. - -:::: - - - -## Data tables [host-data-tables] - -Beneath the KPI charts are data tables, categorized by individual tabs, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following data: - -* **Events**: All host events. To display alerts received from external monitoring tools, scroll down to the Events table and select **Show only external alerts** on the right. -* **All hosts**: High-level host details. -* **Uncommon processes**: Uncommon processes running on hosts. -* **Anomalies**: Anomalies discovered by machine learning jobs. -* **Host risk**: The latest recorded host risk score for each host, and its host risk classification. This feature requires the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) and must be enabled to display the data. To learn more, refer to our [entity risk scoring documentation](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring.md). 
-* **Sessions**: Linux process events that you can open in [Session View](../../../solutions/security/investigate/session-view.md), an investigation tool that allows you to examine Linux process data at a hierarchal level. - -The tables within the **Events** and **Sessions** tabs include inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to [Manage detection alerts](../../../solutions/security/detect-and-alert/manage-detection-alerts.md). - -:::{image} ../../../images/serverless--getting-started-users-events-table.png -:alt: Events table -:class: screenshot -::: - - -## Host details page [host-details-page] - -A host’s details page displays all relevant information for the selected host. To view a host’s details page, click its **Host name** link in the **All hosts** table. - -The host details page includes the following sections: - -* **Asset Criticality**: This section displays the host’s current [asset criticality level](../../../solutions/security/advanced-entity-analytics/asset-criticality.md). -* **Summary**: Details such as the host ID, when the host was first and last seen, the associated IP addresses, and associated operating system. If the entity risk score feature is enabled, this section also displays host risk score data. -* **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). -* **Data tables**: The same data tables as on the main Hosts page, except with values for the selected host instead of all hosts. - -:::{image} ../../../images/serverless--management-hosts-hosts-detail-pg.png -:alt: Host's details page -:class: screenshot -::: - - -## Host details flyout [security-hosts-overview-host-details-flyout] - -In addition to the host details page, relevant host information is also available in the host details flyout throughout the {{elastic-sec}} app. 
You can access this flyout from the following places: - -* The Alerts page, by clicking on a host name in the Alerts table -* The Entity Analytics dashboard, by clicking on a host name in the Host Risk Scores table -* The **Events** tab on the Users and user details pages, by clicking on a host name in the Events table -* The **User risk** tab on the user details page, by clicking on a host name in the Top risk score contributors table -* The **Events** tab on the Hosts and host details pages, by clicking on a host name in the Events table -* The **Host risk** tab on the host details page, by clicking on a host name in the Top risk score contributors table - -The host details flyout includes the following sections: - -* [Host risk summary](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-risk-summary), which displays host risk data and inputs. -* [Asset Criticality](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-asset-criticality), which allows you to view and assign asset criticality. -* [Insights](../../../solutions/security/explore/hosts-page.md#host-details-insights), which displays vulnerabilities findings for the host. -* [Observed data](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-observed-data), which displays host details. - -:::{image} ../../../images/serverless--host-details-flyout.png -:alt: Host details flyout -:class: screenshot -::: - - -### Host risk summary [security-hosts-overview-host-risk-summary] - -::::{admonition} Requirements -:class: note - -The **Host risk summary** section is only available if the [risk scoring engine is turned on](../../../solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). - -:::: - - -The **Host risk summary** section contains a risk summary visualization and table. - -The risk summary visualization shows the host risk score and host risk level. 
Hover over the visualization to display the **Options** menu (![Options menu](../../../images/serverless-boxesHorizontal.svg "")). Use this menu to inspect the visualization’s queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. - -The risk summary table shows the category, score, and number of risk inputs that determine the host risk score. Hover over the table to display the **Inspect** button (![Inspect](../../../images/serverless-inspect.svg "")), which allows you to inspect the table’s queries. - -To expand the **Host risk summary** section, click **View risk contributions**. The left panel displays additional details about the host’s risk inputs: - -* The asset criticality level and contribution score from the latest risk scoring calculation. -* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert’s contribution score. - -If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. - -:::{image} ../../../images/serverless--host-risk-inputs.png -:alt: Host risk inputs -:class: screenshot -::: - - -### Asset Criticality [security-hosts-overview-asset-criticality] - -The **Asset Criticality** section displays the selected host’s [asset criticality level](../../../solutions/security/advanced-entity-analytics/asset-criticality.md). Asset criticality contributes to the overall [host risk score](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring.md). The criticality level defines how impactful the host is when calculating the risk score. - -:::{image} ../../../images/serverless--host-asset-criticality.png -:alt: Asset criticality -:class: screenshot -::: - -Click **Assign** to assign a criticality level to the selected host, or **Change** to change the currently assigned criticality level. 
- - -### Insights [host-details-insights] - -The **Insights** section displays [Vulnerabilities Findings](../../../solutions/security/cloud/findings-page-3.md) for the host. Click **Vulnerabilities** to expand the flyout and view this data. - -:::{image} ../../../images/serverless--host-details-insights-expanded.png -:alt: Host details flyout with the Vulnerabilities section expanded -::: - - -### Observed data [security-hosts-overview-observed-data] - -This section displays details such as the host ID, when the host was first and last seen, the associated IP addresses and operating system, and the relevant Endpoint integration policy information. - -:::{image} ../../../images/serverless--host-observed-data.png -:alt: Host observed data -:class: screenshot -::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 4dc414acb3..0325ed6fed 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -392,7 +392,6 @@ toc: - file: docs-content/serverless/security-examine-osquery-results.md - file: docs-content/serverless/security-get-started-with-kspm.md - file: docs-content/serverless/security-host-isolation-exceptions.md - - file: docs-content/serverless/security-hosts-overview.md - file: docs-content/serverless/security-ingest-data.md - file: docs-content/serverless/security-install-edr.md - file: docs-content/serverless/security-install-endpoint-manually.md diff --git a/solutions/security/explore/hosts-page.md b/solutions/security/explore/hosts-page.md index 15b24034be..36bf8f52e2 100644 --- a/solutions/security/explore/hosts-page.md +++ b/solutions/security/explore/hosts-page.md 
@@ -6,35 +6,6 @@ mapped_urls: # Hosts page -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/hosts-overview.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-hosts-overview.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$host-asset-criticality-section$$$ - -$$$host-details-flyout$$$ - -$$$host-details-insights$$$ - -$$$host-details-page$$$ - -$$$host-observed-data$$$ - -$$$host-risk-summary$$$ - -$$$security-hosts-overview-asset-criticality$$$ - -$$$security-hosts-overview-host-details-flyout$$$ - -$$$security-hosts-overview-host-risk-summary$$$ - -$$$security-hosts-overview-observed-data$$$ - The Hosts page provides a comprehensive overview of all hosts and host-related security events. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data, drill down for deeper insights, and interact with Timeline for further investigation. :::{image} ../../../images/security-hosts-ov-pg.png 
@@ -63,7 +34,7 @@ Beneath the KPI charts are data tables, categorized by individual tabs, which ar * **All hosts**: High-level host details. * **Uncommon processes**: Uncommon processes running on hosts. * **Anomalies**: Anomalies discovered by machine learning jobs. -* **Host risk**: The latest recorded host risk score for each host, and its host risk classification. This feature requires a [Platinum subscription](https://www.elastic.co/pricing) or higher and must be enabled to display the data. Click **Enable** on the **Host risk** tab to get started. To learn more, refer to our [entity risk scoring documentation](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). +* **Host risk**: The latest recorded host risk score for each host, and its host risk classification. In {{stack}} 9.0.0+, this feature requires a [Platinum subscription](https://www.elastic.co/pricing) or higher. In serverless, this feature requires the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md). Click **Enable** on the **Host risk** tab to get started. To learn more, refer to our [entity risk scoring documentation](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). * **Sessions**: Linux process events that you can open in [Session View](/solutions/security/investigate/session-view.md), an investigation tool that allows you to examine Linux process data at a hierarchal level. The tables within the **Events** and **Sessions** tabs include inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to [*Manage detection alerts*](/solutions/security/detect-and-alert/manage-detection-alerts.md). 
@@ -95,7 +66,7 @@ The host details page includes the following sections: In addition to the host details page, relevant host information is also available in the host details flyout throughout the {{elastic-sec}} app. You can access this flyout from the following places: -* The Alerts page, by clicking on a host name in the Alerts +* The Alerts page, by clicking on a host name in the Alerts table * The Entity Analytics dashboard, by clicking on a host name in the Host Risk Scores table * The **Events** tab on the Users and user details pages, by clicking on a host name in the Events table * The **User risk** tab on the user details page, by clicking on a host name in the Top risk score contributors table From 1931ee0f798d39121368b97dd6172aab04ef0886 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 19 Feb 2025 14:00:24 +0000 Subject: [PATCH 2/8] fixes links --- .../docs-content/serverless/ingest-aws-securityhub-data.md | 2 +- .../serverless/ingest-third-party-cloud-security-data.md | 2 +- raw-migrated-files/docs-content/serverless/ingest-wiz-data.md | 2 +- .../docs-content/serverless/security-alerts-manage.md | 2 +- .../security/advanced-entity-analytics/entity-risk-scoring.md | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md b/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md index 7775b9a7e0..76c470d619 100644 --- a/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md +++ b/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md 
@@ -13,4 +13,4 @@ In order to enrich your {{elastic-sec}} workflows with third-party cloud securit After you’ve completed these steps, AWS Security Hub data will appear on the **Misconfigurations** tab of the [**Findings**](../../../solutions/security/cloud/findings-page.md) page. -Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-details-flyout) flyouts. +Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. diff --git a/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md b/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md index 2744f0f3fa..04c26a08ea 100644 --- a/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md +++ b/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md 
@@ -14,7 +14,7 @@ You can ingest third-party cloud security alerts into {{elastic-sec}} to view th ## Ingest third-party security posture and vulnerability data [_ingest_third_party_security_posture_and_vulnerability_data] -You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](../../../solutions/security/cloud/findings-page.md) page and in the entity details flyouts for [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-details-flyout) flyouts. +You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](../../../solutions/security/cloud/findings-page.md) page and in the entity details flyouts for [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#shost-details-flyout) flyouts. * Learn to [ingest cloud security posture data from AWS Security Hub](../../../solutions/security/cloud/ingest-aws-security-hub-data.md). * Learn to [ingest cloud security posture and vulnerability data from Wiz](../../../solutions/security/cloud/ingest-wiz-data.md). diff --git a/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md b/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md index 072eece73b..6e93de2a50 100644 
--- a/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md +++ b/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md @@ -21,4 +21,4 @@ After you’ve completed these steps, Wiz data will appear on the **[**Misconfig :alt: Wiz data on the Findings page ::: -Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-details-flyout) flyouts. +Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. diff --git a/raw-migrated-files/docs-content/serverless/security-alerts-manage.md b/raw-migrated-files/docs-content/serverless/security-alerts-manage.md index 6ad6d444ee..55cba4a2de 100644 --- a/raw-migrated-files/docs-content/serverless/security-alerts-manage.md +++ b/raw-migrated-files/docs-content/serverless/security-alerts-manage.md 
@@ -22,7 +22,7 @@ The Alerts page offers various ways for you to organize and triage detection ale ![View details button](../../../images/serverless--detections-view-alert-details.png "") * View the rule that created an alert. Click a name in the **Rule** column to open the rule’s details. -* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the [host details flyout](../../../solutions/security/explore/hosts-page.md#security-hosts-overview-host-details-flyout), or a user name to open the [user details flyout](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout). +* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the [host details flyout](/solutions/security/explore/hosts-page.md#host-details-flyout), or a user name to open the [user details flyout](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout). * Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices. * Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours. * Use the drop-down filter controls to filter alerts by up to four fields. By default, you can filter alerts by **Status**, **Severity***, ***User**, and **Host**, and you can [edit the controls](../../../solutions/security/detect-and-alert/manage-detection-alerts.md#drop-down-filter-controls) to use other fields. diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md index 5eee0076b7..e7ad0eec65 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md 
@@ -39,7 +39,7 @@ Entities without any alerts, or with only `Closed` alerts, are not assigned a ri When [turning on the risk engine](turn-on-risk-scoring-engine.md), you can choose to also include `Closed` alerts in risk scoring calculations. :::: -2. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](../explore/hosts-page.md#security-hosts-overview-host-risk-summary). +2. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](/explore/hosts-page.md#host-risk-summary). 3. The engine then verifies the entity’s [asset criticality level](asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary. | Asset criticality level | Default risk weight | From 29a3b29c752cd969919db676601b0eca28240725 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 19 Feb 2025 14:02:30 +0000 Subject: [PATCH 3/8] fix typo --- .../serverless/ingest-third-party-cloud-security-data.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md b/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md index 04c26a08ea..a8edc28369 100644 --- a/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md +++ b/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md 
@@ -14,7 +14,7 @@ You can ingest third-party cloud security alerts into {{elastic-sec}} to view th ## Ingest third-party security posture and vulnerability data [_ingest_third_party_security_posture_and_vulnerability_data] -You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](../../../solutions/security/cloud/findings-page.md) page and in the entity details flyouts for [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#shost-details-flyout) flyouts. +You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](../../../solutions/security/cloud/findings-page.md) page and in the entity details flyouts for [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. * Learn to [ingest cloud security posture data from AWS Security Hub](../../../solutions/security/cloud/ingest-aws-security-hub-data.md). * Learn to [ingest cloud security posture and vulnerability data from Wiz](../../../solutions/security/cloud/ingest-wiz-data.md). From 57091b999a9bb758d11977dcfd7caa4b065f8cb9 Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Wed, 19 Feb 2025 14:07:22 +0000 Subject: [PATCH 4/8] fixes link --- .../security/advanced-entity-analytics/entity-risk-scoring.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md index e7ad0eec65..30a5d388e5 100644 --- a/solutions/security/advanced-entity-analytics/entity-risk-scoring.md +++ b/solutions/security/advanced-entity-analytics/entity-risk-scoring.md 
@@ -39,7 +39,7 @@ Entities without any alerts, or with only `Closed` alerts, are not assigned a ri When [turning on the risk engine](turn-on-risk-scoring-engine.md), you can choose to also include `Closed` alerts in risk scoring calculations. :::: -2. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](/explore/hosts-page.md#host-risk-summary). +2. The engine groups alerts by `host.name` or `user.name`, and aggregates the individual alert risk scores (`kibana.alert.risk_score`) such that alerts with higher risk scores contribute more than alerts with lower risk scores. The resulting aggregated risk score is assigned to the **Alerts** category in the entity’s [risk summary](/solutions/security/explore/hosts-page.md#host-risk-summary). 3. The engine then verifies the entity’s [asset criticality level](asset-criticality.md). If there is no asset criticality assigned, the entity risk score remains equal to the aggregated score from the **Alerts** category. If a criticality level is assigned, the engine updates the risk score based on the default risk weight for each criticality level. The asset criticality risk input is assigned to the **Asset Criticality** category in the entity’s risk summary. | Asset criticality level | Default risk weight | From 8dacc933e62c704c8972dbe0d9bcc72c8a56e22b Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Wed, 19 Feb 2025 14:21:35 +0000 Subject: [PATCH 5/8] network page --- .../security-network-page-overview.md | 81 ------------------- raw-migrated-files/toc.yml | 1 - solutions/security/explore/network-page.md | 9 +-- 3 files changed, 1 insertion(+), 90 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-network-page-overview.md diff --git a/raw-migrated-files/docs-content/serverless/security-network-page-overview.md b/raw-migrated-files/docs-content/serverless/security-network-page-overview.md deleted file mode 100644 index 8a28e73032..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-network-page-overview.md +++ /dev/null 
@@ -1,81 +0,0 @@ -# Network page [security-network-page-overview] - -The Network page provides key network activity metrics in an interactive map, and network event tables that enable interaction with Timeline. You can drag and drop items of interest from the Network view to Timeline for further investigation. - -:::{image} ../../../images/serverless--getting-started-network-ui.png -:alt: getting started network ui -:class: screenshot -::: - - -## Map [map-ui] - -The map provides an interactive visual overview of your network traffic. Hover over source and destination points to show more information, such as host names and IP addresses. - -::::{note} -To access the interactive map, you must have the appropriate user role. To learn more about map setup, refer to [Configure network map data](../../../solutions/security/explore/configure-network-map-data.md). - -:::: - - -There are several ways to drill down: - -* Click a point, hover over the host name or destination IP, then use the filter icon to add a field to the filter bar. -* Drag a field from the map to Timeline. -* Click a host name to go to the Hosts page. -* Click an IP address to open its details page. - -You can start an investigation using the map, and the map refreshes to show related data when you run a query or update the time range. - -::::{tip} -To add and remove layers, click on the **Options** menu (**…​**) in the top right corner of the map. - -:::: - - - -## Widgets and data tables [map-widgets-tables] - -Interactive widgets let you drill down for deeper insights: - -* Network events -* DNS queries -* Unique flow IDs -* TLS handshakes -* Unique private IPs - -There are also tabs for viewing and investigating specific types of data: - -* **Events**: All network events. To display alerts received from external monitoring tools, scroll down to the events table and select **Show only external alerts** on the right. - -The Events table includes inline actions and several customization options. 
To learn more about what you can do with the data in these tables, refer to [Manage detection alerts](../../../solutions/security/detect-and-alert/manage-detection-alerts.md). - -* **Flows**: Source and destination IP addresses and countries. -* **DNS**: DNS network queries. -* **HTTP**: Received HTTP requests (HTTP requests for applications using [Elastic APM](/solutions/observability/apps/application-performance-monitoring-apm.md) are monitored by default). -* **TLS**: Handshake details. -* **Anomalies**: Anomalies discovered by [machine learning jobs](../../../solutions/security/advanced-entity-analytics/anomaly-detection.md). - - -## IP details page [ip-details-page] - -An IP’s details page shows related network information for the selected IP address. - -To view an IP’s details page, click its IP address link from the Source IPs or Destination IPs table. - -The IP’s details page includes the following sections: - -* **Summary**: General details such as the location, when the IP address was first and last seen, the associated host ID and host name, and links to external sites for verifying the IP address’s reputation. - - ::::{note} - By default, the external sites are [Talos](https://talosintelligence.com/) and [VirusTotal](https://www.virustotal.com/). Refer to [Display reputation links on IP detail pages](../../../solutions/security/get-started/configure-advanced-settings.md#ip-reputation-links) to learn how to configure IP reputation links. - - :::: - -* **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). -* **Data tables**: The same data tables as on the main Network page, except with values for the selected IP address instead of all IP addresses. - -:::{image} ../../../images/serverless--getting-started-IP-detail-pg.png -:alt: IP details page -:class: screenshot -::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 0325ed6fed..f6ceb9d598 100644 
--- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -405,7 +405,6 @@ toc: - file: docs-content/serverless/security-llm-performance-matrix.md - file: docs-content/serverless/security-machine-learning.md - file: docs-content/serverless/security-ml-requirements.md - - file: docs-content/serverless/security-network-page-overview.md - file: docs-content/serverless/security-osquery-placeholder-fields.md - file: docs-content/serverless/security-osquery-response-action.md - file: docs-content/serverless/security-overview-dashboard.md diff --git a/solutions/security/explore/network-page.md b/solutions/security/explore/network-page.md index a502ce4cb4..3b30337d8b 100644 --- a/solutions/security/explore/network-page.md +++ b/solutions/security/explore/network-page.md @@ -6,13 +6,6 @@ mapped_urls: # Network page -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/network-page-overview.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-network-page-overview.md - The Network page provides key network activity metrics in an interactive map, and network event tables that enable interaction with Timeline. You can drag and drop items of interest from the Network view to Timeline for further investigation. :::{image} ../../../images/security-network-ui.png 
@@ -26,7 +19,7 @@ The Network page provides key network activity metrics in an interactive map, an The map provides an interactive visual overview of your network traffic. Hover over source and destination points to show more information, such as host names and IP addresses. ::::{note} -To access the interactive map, you need either `Read` or `All` privileges for `Maps` (**Kibana Privileges** → **Analytics** → **Maps**). To learn more about map setup, refer to [Configure network map data](/solutions/security/explore/configure-network-map-data.md). +To access the interactive map in {{stack}} 9.0.0+, you need either `Read` or `All` privileges for `Maps` (**Kibana Privileges** → **Analytics** → **Maps**). In serverless, you must have the appropriate user role. To learn more about map setup, refer to [Configure network map data](/solutions/security/explore/configure-network-map-data.md). :::: From 6de5aab95ef95db0b43c4a1cba48e5909d4c2bc6 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 19 Feb 2025 14:44:52 +0000 Subject: [PATCH 6/8] network map data --- .../serverless/security-conf-map-ui.md | 129 ------------------ raw-migrated-files/toc.yml | 1 - .../explore/configure-network-map-data.md | 20 +-- 3 files changed, 2 insertions(+), 148 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-conf-map-ui.md diff --git a/raw-migrated-files/docs-content/serverless/security-conf-map-ui.md b/raw-migrated-files/docs-content/serverless/security-conf-map-ui.md deleted file mode 100644 index 1a7c6c1fa9..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-conf-map-ui.md +++ /dev/null 
@@ -1,129 +0,0 @@ -# Configure network map data [security-conf-map-ui] - -Depending on your setup, to display and interact with data on the **Network** page’s map you might need to: - -* [Create data views](../../../solutions/security/explore/configure-network-map-data.md#kibana-index-pattern) -* [Add geographical IP data to events](../../../solutions/security/explore/configure-network-map-data.md#geoip-data) -* [Map your internal network](../../../solutions/security/explore/configure-network-map-data.md#private-network) - -::::{note} -To see source and destination connections lines on the map, you must configure `source.geo` and `destination.geo` ECS fields for your indices. - -:::: - - - -## Permissions required [prereq-perms] - -To view the map, you need the appropriate [predefined user role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](../../../deploy-manage/users-roles/cloud-organization/user-roles.md) with at least `Read` privileges for the `Maps` feature. - - -## Create data views [kibana-index-pattern] - -To display map data, you must define a [data view](../../../explore-analyze/find-and-organize/data-views.md) (**Project settings** → **Management** → **Data views**) that includes one or more of the indices specified in the `securitysolution:defaultIndex` field in advanced settings. - -For example, to display data that is stored in indices matching the index pattern `servers-europe-*` on the map, you must use a data view whose index pattern matches `servers-europe-*`, such as `servers-*`. - - -## Add geoIP data [geoip-data] - -When the ECS [source.geo.location and destination.geo.location](https://www.elastic.co/guide/en/ecs/current/ecs-geo.html) fields are mapped, network data is displayed on the map. - -If you use Beats, configure a geoIP processor to add data to the relevant fields: - -1. 
Define an ingest node pipeline that uses one or more `geoIP` processors to add location information to events. For example, use the Console in **Dev tools** to create the following pipeline: - - ```console - PUT _ingest/pipeline/geoip-info - { - "description": "Add geoip info", - "processors": [ - { - "geoip": { - "field": "client.ip", - "target_field": "client.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "destination.ip", - "target_field": "destination.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "server.ip", - "target_field": "server.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "host.ip", - "target_field": "host.geo", - "ignore_missing": true - } - } - ] - } - ``` - - In this example, the pipeline ID is `geoip-info`. `field` specifies the field that contains the IP address to use for the geographical lookup, and `target_field` is the field that will hold the geographical information. `"ignore_missing": true` configures the pipeline to continue processing when it encounters an event that doesn’t have the specified field. - - ::::{tip} - An example ingest pipeline that uses the GeoLite2-ASN.mmdb database to add autonomous system number (ASN) fields can be found [here](https://github.com/elastic/examples/blob/master/Security%20Analytics/SIEM-examples/Packetbeat/geoip-info.json). - - :::: - -2. In your Beats configuration files, add the pipeline to the `output.elasticsearch` tag: - - ```yaml - output.elasticsearch: - hosts: ["localhost:9200"] - pipeline: geoip-info <1> - ``` - - 1. The value of this field must be the same as the ingest pipeline name in [step 1](../../../solutions/security/explore/configure-network-map-data.md) (`geoip-info` in this example). 
- - - -## Map your internal network [private-network] - -If you want to add your network’s internal IP addresses to the map, define geo location fields under the `processors` tag in the Beats configuration files on your hosts: - -```yaml - processors: - - add_host_metadata: - - add_cloud_metadata: ~ - - add_fields: - when.network.source.ip: <1> - fields: - source.geo.location: - lat: - lon: - target: '' - - add_fields: - when.network.destination.ip: - fields: - destination.geo.location: - lat: - lon: - target: '' -``` - -1. For the IP address, you can use either `private` or CIDR notation. - - -::::{tip} -You can also enrich your data with other [host fields](https://www.elastic.co/guide/en/beats/packetbeat/current/add-host-metadata.html). - -:::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index f6ceb9d598..237657926d 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml @@ -364,7 +364,6 @@ toc: - file: docs-content/serverless/security-cloud-posture-dashboard-dash-kspm.md - file: docs-content/serverless/security-cloud-posture-dashboard-dash.md - file: docs-content/serverless/security-cloud-workload-protection.md - - file: docs-content/serverless/security-conf-map-ui.md - file: docs-content/serverless/security-configure-endpoint-integration-policy.md - file: docs-content/serverless/security-connect-to-azure-openai.md - file: docs-content/serverless/security-connect-to-bedrock.md diff --git a/solutions/security/explore/configure-network-map-data.md b/solutions/security/explore/configure-network-map-data.md index 290cc0b102..990c057c88 100644 --- a/solutions/security/explore/configure-network-map-data.md +++ b/solutions/security/explore/configure-network-map-data.md 
@@ -6,22 +6,6 @@ mapped_urls: # Configure network map data -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/conf-map-ui.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-conf-map-ui.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$geo-pipeleine$$$ - -$$$geoip-data$$$ - -$$$kibana-index-pattern$$$ - -$$$private-network$$$ Depending on your {{kib}} setup, to display and interact with data on the **Network** page’s map you might need to: @@ -37,7 +21,7 @@ To see source and destination connections lines on the map, you must configure ` ## Permissions required [prereq-perms] -To view the map, you need a role with at least `Read` [privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#adding_kibana_privileges) for the `Maps` feature. +To view the map in {{stack}} 9.0.0+, you need a role with at least `Read` [privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles.md#adding_kibana_privileges) for the `Maps` feature. In serverless, you need the appropriate [predefined user role](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles) or a [custom role](/deploy-manage/users-roles/cloud-organization/user-roles.md) with at least `Read` privileges for the `Maps` feature. ## Create {{kib}} data views [kibana-index-pattern] @@ -113,7 +97,7 @@ If you use Beats, configure a geoIP processor to add data to the relevant fields pipeline: geoip-info <1> ``` - 1. The value of this field must be the same as the ingest pipeline name in [step 1](/solutions/security/explore/configure-network-map-data.md#geo-pipeleine) (`geoip-info` in this example). + 1. The value of this field must be the same as the ingest pipeline name in step 1 (`geoip-info` in this example). 
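Review bot: Content-drop check on the `security-network-page-overview.md` deletion hunk (`@@ -1,81 +0,0 @@`): the deleted serverless page carries an `IP details page [ip-details-page]` section, including the note that reputation links default to Talos and VirusTotal and the link to `configure-advanced-settings.md#ip-reputation-links`, but the only `network-page.md` change in this series is the map privileges note, so the diff does not show that the merged page already covers the IP details section. Please confirm `network-page.md` documents the IP details page and its reputation links before the serverless source goes, and check that nothing still links to `#ip-details-page` on the serverless path.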
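Review bot: The serverless clause added to the map note in `network-page.md` (`@@ -26,7 +19,7 @@`), "In serverless, you must have the appropriate user role", does not say which role, while the `configure-network-map-data.md` change in the same series spells it out ("the appropriate predefined user role or a custom role with at least `Read` privileges for the `Maps` feature") and links to the role docs. Suggest using the same wording and links here, or pointing the reader to the Permissions required section of Configure network map data, so the two pages do not give different answers to the same question.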
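Review bot: Removing the `$$$geoip-data$$$`, `$$$kibana-index-pattern$$$` and `$$$private-network$$$` anchors in `configure-network-map-data.md` (`@@ -6,22 +6,6 @@`) is only safe if headings with those IDs exist on the page: the deleted serverless page links to all three as `#kibana-index-pattern`, `#geoip-data` and `#private-network`, and the comment being removed says internal links rely on them. The context shows `## Create {{kib}} data views [kibana-index-pattern]`, but no `[geoip-data]` or `[private-network]` heading is visible in the diff, so please verify those two before merging. Dropping `$$$geo-pipeleine$$$` is fine, since the third hunk removes the only link to it.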
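Review bot: Style point on the permissions sentence in `configure-network-map-data.md` (`@@ -37,7 +21,7 @@`): the added text states "with at least `Read` privileges for the `Maps` feature" twice in one paragraph. Consider leading with the shared requirement and then saying how it is granted per deployment type, for example "You need at least `Read` privileges for the `Maps` feature. In {{stack}} 9.0.0+, grant them through a role ...; in serverless, through a predefined or custom user role ...", keeping both links.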
From 63b2442099524e225a487b58edaac0eee0d4e4da Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 19 Feb 2025 16:32:59 +0000 Subject: [PATCH 7/8] users page --- .../serverless/security-users-page.md | 130 ------------------ raw-migrated-files/toc.yml | 1 - solutions/security/explore/users-page.md | 33 +---- 3 files changed, 1 insertion(+), 163 deletions(-) delete mode 100644 raw-migrated-files/docs-content/serverless/security-users-page.md diff --git a/raw-migrated-files/docs-content/serverless/security-users-page.md b/raw-migrated-files/docs-content/serverless/security-users-page.md deleted file mode 100644 index 5070354674..0000000000 --- a/raw-migrated-files/docs-content/serverless/security-users-page.md +++ /dev/null 
@@ -1,130 +0,0 @@ -# Users page [security-users-page] - -The Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights. - -:::{image} ../../../images/serverless--getting-started-users-users-page.png -:alt: User's page -:class: screenshot -::: - -The Users page has the following sections: - - -## User KPI (key performance indicator) charts [security-users-page-user-kpi-key-performance-indicator-charts] - -KPI charts show the total number of users and successful and failed user authentications within the time range specified in the date picker. Data in the KPI charts is visualized through linear and bar graphs. - -::::{tip} -Hover inside a KPI chart to display the actions menu (![Actions menu icon](../../../images/serverless-boxesHorizontal.svg "")), where you can perform these actions: inspect, open in Lens, and add to a new or existing case. - -:::: - - - -## Data tables [security-users-page-data-tables] - -Beneath the KPI charts are data tables, which are useful for viewing and investigating specific types of data. Select the relevant tab to view the following details: - -* **Events**: Ingested events that contain the `user.name` field. You can stack by the `event.action`, `event.dataset`, or `event.module` field. To display alerts received from external monitoring tools, scroll down to the Events table and select **Show only external alerts** on the right. -* **All users**: A chronological list of unique user names, when they were last active, and the associated domains. -* **Authentications**: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the host name of the last successful destination. 
-* **Anomalies**: Unusual activity discovered by machine learning jobs that contain user data. -* **User risk**: The latest recorded user risk score for each user, and its user risk classification. This feature requires the Security Analytics Complete [project feature](../../../deploy-manage/deploy/elastic-cloud/project-settings.md) and must be enabled to display the data. To learn more, refer to our [entity risk scoring documentation](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring.md). - -The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to [Manage detection alerts](../../../solutions/security/detect-and-alert/manage-detection-alerts.md). - - -## User details page [security-users-page-user-details-page] - -A user’s details page displays all relevant information for the selected user. To view a user’s details page, click its **User name** link from the **All users** table. - -The user details page includes the following sections: - -* **Asset Criticality**: This section displays the user’s current [asset criticality level](../../../solutions/security/advanced-entity-analytics/asset-criticality.md). -* **Summary**: Details such as the user ID, when the user was first and last seen, the associated IP address(es), and operating system. If the entity risk score feature is enabled, this section also displays user risk score data. -* **Alert metrics**: The total number of alerts by severity, rule, and status (`Open`, `Acknowledged`, or `Closed`). -* **Data tables**: The same data tables as on the main Users page, except with values for the selected user instead of for all users. 
- -:::{image} ../../../images/serverless--getting-started-users-user-details-pg.png -:alt: User details page -::: - - -## User details flyout [security-users-page-user-details-flyout] - -In addition to the user details page, relevant user information is also available in the user details flyout throughout the {{elastic-sec}} app. You can access this flyout from the following places: - -* The Alerts page, by clicking on a user name in the Alerts table -* The Entity Analytics dashboard, by clicking on a user name in the User Risk Scores table -* The **Events** tab on the Users and user details pages, by clicking on a user name in the Events table -* The **User risk** tab on the user details page, by clicking on a user name in the Top risk score contributors table -* The **Events** tab on the Hosts and host details pages, by clicking on a user name in the Events table -* The **Host risk** tab on the host details page, by clicking on a user name in the Top risk score contributors table - -The user details flyout includes the following sections: - -* [User risk summary](../../../solutions/security/explore/users-page.md#security-users-page-user-risk-summary), which displays user risk data and inputs. -* [Asset Criticality](../../../solutions/security/explore/users-page.md#security-users-page-asset-criticality), which allows you to view and assign asset criticality. -* [Insights](../../../solutions/security/explore/users-page.md#user-insights), which displays misconfiguration findings for the user. -* [Observed data](../../../solutions/security/explore/users-page.md#security-users-page-observed-data), which displays user details. 
- -:::{image} ../../../images/serverless--user-details-flyout.png -:alt: User details flyout -:class: screenshot -::: - - -### User risk summary [security-users-page-user-risk-summary] - -::::{admonition} Requirement -:class: note - -The **User risk summary** section is only available if the [risk scoring engine is turned on](../../../solutions/security/advanced-entity-analytics/turn-on-risk-scoring-engine.md). - -:::: - - -The **User risk summary** section contains a risk summary visualization and table. - -The risk summary visualization shows the user risk score and user risk level. Hover over the visualization to display the **Options** menu (![Options menu](../../../images/serverless-boxesHorizontal.svg "")). Use this menu to inspect the visualization’s queries, add it to a new or existing case, save it to your Visualize Library, or open it in Lens for customization. - -The risk summary table shows the category, score, and number of risk inputs that determine the user risk score. Hover over the table to display the **Inspect** button (![Inspect](../../../images/serverless-inspect.svg "")), which allows you to inspect the table’s queries. - -To expand the **User risk summary** section, click **View risk contributions**. The left panel displays additional details about the user’s risk inputs: - -* The asset criticality level and contribution score from the latest risk scoring calculation. -* The top 10 alerts that contributed to the latest risk scoring calculation, and each alert’s contribution score. - -If more than 10 alerts contributed to the risk scoring calculation, the remaining alerts' aggregate contribution score is displayed below the **Alerts** table. 
- -:::{image} ../../../images/serverless--user-risk-inputs.png -:alt: User risk inputs -:class: screenshot -::: - - -### Asset Criticality [security-users-page-asset-criticality] - -The **Asset Criticality** section displays the selected user’s [asset criticality level](../../../solutions/security/advanced-entity-analytics/asset-criticality.md). Asset criticality contributes to the overall [user risk score](../../../solutions/security/advanced-entity-analytics/entity-risk-scoring.md). The criticality level defines how impactful the user is when calculating the risk score. - -:::{image} ../../../images/serverless--user-asset-criticality.png -:alt: Asset criticality -:class: screenshot -::: - -Click **Assign** to assign a criticality level to the selected user, or **Change** to change the currently assigned criticality level. - - -### Insights [user-insights] - -The **Insights** section displays [Misconfiguration Findings](../../../solutions/security/cloud/findings-page.md) for the user. Click **Misconfigurations** to expand the flyout and view this data. - - -### Observed data [security-users-page-observed-data] - -This section displays details such as the user ID, when the user was first and last seen, and the associated IP addresses and operating system. - -:::{image} ../../../images/serverless--user-observed-data.png -:alt: User observed data -:class: screenshot -::: diff --git a/raw-migrated-files/toc.yml b/raw-migrated-files/toc.yml index 237657926d..1c9b513031 100644 --- a/raw-migrated-files/toc.yml +++ b/raw-migrated-files/toc.yml 
@@ -434,7 +434,6 @@ toc: - file: docs-content/serverless/security-tune-detection-signals.md - file: docs-content/serverless/security-turn-on-risk-engine.md - file: docs-content/serverless/security-ui.md - - file: docs-content/serverless/security-users-page.md - file: docs-content/serverless/security-view-alert-details.md - file: docs-content/serverless/security-visual-event-analyzer.md - file: docs-content/serverless/security-visualize-alerts.md diff --git a/solutions/security/explore/users-page.md b/solutions/security/explore/users-page.md index 5f968a6f73..02cd412855 100644 --- a/solutions/security/explore/users-page.md +++ b/solutions/security/explore/users-page.md @@ -6,37 +6,6 @@ mapped_urls: # Users page -% What needs to be done: Align serverless/stateful - -% Use migrated content from existing pages that map to this page: - -% - [x] ./raw-migrated-files/security-docs/security/users-page.md -% - [ ] ./raw-migrated-files/docs-content/serverless/security-users-page.md - -% Internal links rely on the following IDs being on this page (e.g. as a heading ID, paragraph ID, etc): - -$$$user-details-flyout$$$ - -$$$user-details-page$$$ - -$$$user-risk-summary$$$ - -$$$user-asset-criticality-section$$$ - -$$$user-insights$$$ - -$$$user-observed-data$$$ - -$$$security-users-page-user-details-page$$$ - -$$$security-users-page-user-details-flyout$$$ - -$$$security-users-page-user-risk-summary$$$ - -$$$security-users-page-asset-criticality$$$ - -$$$security-users-page-observed-data$$$ - The Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights. :::{image} ../../../images/security-users-page.png 
@@ -65,7 +34,7 @@ Beneath the KPI charts are data tables, which are useful for viewing and investi * **All users**: A chronological list of unique user names, when they were last active, and the associated domains. * **Authentications**: A chronological list of user authentication events and associated details, such as the number of successes and failures, and the host name of the last successful destination. * **Anomalies**: Unusual activity discovered by machine learning jobs that contain user data. -* **User risk**: The latest recorded user risk score for each user, and its user risk classification. This feature requires a [Platinum subscription](https://www.elastic.co/pricing) or higher and must be enabled to display the data. Click **Enable** on the **User risk** tab to get started. To learn more, refer to our [entity risk scoring documentation](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). +* **User risk**: The latest recorded user risk score for each user, and its user risk classification. In {{stack}} 9.0.0+, this feature requires a [Platinum subscription](https://www.elastic.co/pricing) or higher. In serverless, this feature requires the Security Analytics Complete [project feature](/deploy-manage/deploy/elastic-cloud/project-settings.md). Click **Enable** on the **User risk** tab to get started. To learn more, refer to our [entity risk scoring documentation](/solutions/security/advanced-entity-analytics/entity-risk-scoring.md). The Events table includes inline actions and several customization options. To learn more about what you can do with the data in these tables, refer to [*Manage detection alerts*](/solutions/security/detect-and-alert/manage-detection-alerts.md). From 891f75a17994d30e37728466fded06b607bc5b67 Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Wed, 19 Feb 2025 16:36:01 +0000 Subject: [PATCH 8/8] fix links --- .../docs-content/serverless/ingest-aws-securityhub-data.md | 2 +- .../serverless/ingest-third-party-cloud-security-data.md | 2 +- raw-migrated-files/docs-content/serverless/ingest-wiz-data.md | 2 +- .../docs-content/serverless/security-alerts-manage.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md b/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md index 76c470d619..d0b3b2efc4 100644 --- a/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md +++ b/raw-migrated-files/docs-content/serverless/ingest-aws-securityhub-data.md 
@@ -13,4 +13,4 @@ In order to enrich your {{elastic-sec}} workflows with third-party cloud securit After you’ve completed these steps, AWS Security Hub data will appear on the **Misconfigurations** tab of the [**Findings**](../../../solutions/security/cloud/findings-page.md) page. -Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. +Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from AWS Security Hub, the findings will appear on the [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. diff --git a/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md b/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md index a8edc28369..985fa76399 100644 --- a/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md +++ b/raw-migrated-files/docs-content/serverless/ingest-third-party-cloud-security-data.md 
@@ -14,7 +14,7 @@ You can ingest third-party cloud security alerts into {{elastic-sec}} to view th ## Ingest third-party security posture and vulnerability data [_ingest_third_party_security_posture_and_vulnerability_data] -You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](../../../solutions/security/cloud/findings-page.md) page and in the entity details flyouts for [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. +You can ingest third-party data into {{elastic-sec}} to review and investigate it alongside data collected by {{elastic-sec}}'s native cloud security integrations. Once ingested, cloud security posture and vulnerability data appears on the [Findings](../../../solutions/security/cloud/findings-page.md) page and in the entity details flyouts for [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section), [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. * Learn to [ingest cloud security posture data from AWS Security Hub](../../../solutions/security/cloud/ingest-aws-security-hub-data.md). * Learn to [ingest cloud security posture and vulnerability data from Wiz](../../../solutions/security/cloud/ingest-wiz-data.md). diff --git a/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md b/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md index 6e93de2a50..b307b87af2 100644 --- a/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md 
+++ b/raw-migrated-files/docs-content/serverless/ingest-wiz-data.md @@ -21,4 +21,4 @@ After you’ve completed these steps, Wiz data will appear on the **[**Misconfig :alt: Wiz data on the Findings page ::: -Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [users](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. +Any available findings data will also appear in the entity details flyouts for related [alerts](../../../solutions/security/detect-and-alert/view-detection-alert-details.md#insights-section). If alerts are present for a user or host that has findings data from Wiz, the findings will appear on the [users](/solutions/security/explore/users-page.md#user-details-flyout), and [hosts](/solutions/security/explore/hosts-page.md#host-details-flyout) flyouts. diff --git a/raw-migrated-files/docs-content/serverless/security-alerts-manage.md b/raw-migrated-files/docs-content/serverless/security-alerts-manage.md index 55cba4a2de..239387c92e 100644 --- a/raw-migrated-files/docs-content/serverless/security-alerts-manage.md +++ b/raw-migrated-files/docs-content/serverless/security-alerts-manage.md 
@@ -22,7 +22,7 @@ The Alerts page offers various ways for you to organize and triage detection ale ![View details button](../../../images/serverless--detections-view-alert-details.png "") * View the rule that created an alert. Click a name in the **Rule** column to open the rule’s details. -* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the [host details flyout](/solutions/security/explore/hosts-page.md#host-details-flyout), or a user name to open the [user details flyout](../../../solutions/security/explore/users-page.md#security-users-page-user-details-flyout). +* View the details of the host and user associated with the alert. In the Alerts table, click a host name to open the [host details flyout](/solutions/security/explore/hosts-page.md#host-details-flyout), or a user name to open the [user details flyout](/solutions/security/explore/users-page.md#user-details-flyout). * Filter for a specific rule in the KQL bar (for example, `kibana.alert.rule.name :"SSH (Secure Shell) from the Internet"`). KQL autocomplete is available for `.alerts-security.alerts-*` indices. * Use the date and time filter to define a specific time range. By default, this filter is set to search the last 24 hours. * Use the drop-down filter controls to filter alerts by up to four fields. By default, you can filter alerts by **Status**, **Severity***, ***User**, and **Host**, and you can [edit the controls](../../../solutions/security/detect-and-alert/manage-detection-alerts.md#drop-down-filter-controls) to use other fields.
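Review bot: The anchor removal in `users-page.md` (`@@ -6,37 +6,6 @@`) deletes `$$$user-details-flyout$$$` along with the `$$$security-users-page-*$$$` IDs, yet the "fix links" patch in this series retargets four pages to `#user-details-flyout`, so that ID must now be carried by the flyout heading itself; please confirm the heading carries `[user-details-flyout]`. The other removed IDs (`user-risk-summary`, `user-asset-criticality-section`, `user-insights`, `user-observed-data` and their `security-users-page-` variants) were link targets inside the deleted serverless page, which links to `#security-users-page-user-risk-summary`, `#security-users-page-asset-criticality`, `#user-insights` and `#security-users-page-observed-data`; a repo-wide search for those fragments would catch any remaining references, since the link fixes only cover the flyout ID.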
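Review bot: Minor wording on the **User risk** bullet in `users-page.md` (`@@ -65,7 +34,7 @@`): "this feature requires" is repeated in consecutive sentences; "In serverless, it requires the Security Analytics Complete project feature" reads more cleanly. The deleted serverless text also said the feature "must be enabled to display the data"; the following "Click **Enable** on the **User risk** tab" sentence keeps that instruction, so nothing is lost there.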
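Review bot: Grammar nit in the `ingest-aws-securityhub-data.md` hunk (`@@ -13,4 +13,4 @@`), repeated in the `ingest-wiz-data.md` hunk: "the [users](...), and [hosts](...) flyouts" lists two items, so the comma before "and" should go. Separately, the retargeted `#user-details-flyout` fragment only resolves if that ID exists on `users-page.md` after the earlier patch removed the `$$$user-details-flyout$$$` anchor.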
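Review bot: Link style in the `ingest-third-party-cloud-security-data.md` hunk (`@@ -14,7 +14,7 @@`): the changed line now mixes absolute paths (`/solutions/security/explore/users-page.md`, `/solutions/security/explore/hosts-page.md`) with relative ones (`../../../solutions/security/cloud/findings-page.md`, `../../../solutions/security/detect-and-alert/view-detection-alert-details.md`). Since the line is being touched anyway, converting the remaining relative links to the same absolute form would keep the file consistent.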
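Review bot: Drive-by in the `security-alerts-manage.md` hunk (`@@ -22,7 +22,7 @@`): the trailing context line has broken emphasis markup, `**Severity***, ***User**`, which should read `**Severity**, **User**`; since this file is already being edited for the flyout link, it is worth fixing in the same change. The link retarget itself is consistent with the other three hunks.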